Fingerprinting Your Files

Fingerprinting Your Files

Three cryptographers at Stanford University recently came up with a clever solution to the persistent problem of identity theft on the Internet. Wily hackers in Russia, China, and other countries send out piles of e-mail messages looking like they came from some financial institution such as Citibank or Paypal. Millions of consumers get these messages, which have embedded HTML links in them that take the unsuspecting recipient to look-alike websites run in faraway places. You’re prompted to enter a username and password and thenwhamthe hacker has the keys to your bank account.

But good usernames and passwords typed at bad websites isnt the only such threat that consumers face. A potentially larger problem is that many people use the same username and password combination at multiple sites. This makes memorization easier, but it means that an unscrupulous website operator can take a list of usernames and passwords from, say, an Internet sweepstakes site and use it to try to break into online bank accounts.

So Stanford cryptographers Blake Ross, Dan Boneh, and John Mitchell have designed a clever plug-in for Internet Explorer that solves this problem by scrambling what you type into the password field so every website sees a different passworda password thats based both on what you type and on the domain of the website itself.

Now, lots of people use some variant on this strategy. Their Hotmail password might be nosmis-hotmail while their Yahoo! Personals password is nosmis-Yahoo! But any strategy like this is pretty simple to decipher. The password scrambling method that the Stanford trio has devised is based on a mathematical function called a cryptographic hasha kind of one-way function that transforms what the user types into a jumble of numbers and letters in a way that cannot be reversed. Because the Stanford system calculates the cryptographic hash of both the websites domain and the users password, the hacker gets different passwords than the legitimate ones. (Click here to find details about this clever solution.)

One company thats using cryptographic hashes in a very public way is Yahoo! Last year, Yahoo! redesigned the login process to its website to make it sniff-proof. The standard way to do this is to use encryption. But encryption can be slowespecially when you are running one of the most popular sites on the Internet.

So what Yahoo! did instead was to modify its login page to use a so-called challenge-response system based on a cryptographic hash. When you try to log in, Yahoo!s server downloads to your browser a cryptographic hash function written in JavaScript. Along with this function is a “challenge”a short sequence of letters and numbers. When you type your password into the login screen, your browser takes your password, appends these characters provided by Yahoo!, and calculates the cryptographic hash of the resulting string. The browser then sends the resulting value back to Yahoo!, no encryption needed. Even if you are at a cybercafe having your Web traffic sniffed by Belgium hackers, theres no way for the bad guys to take the resulting hash value and derive your original password.

This clever “challenge-response” system is also at the base of the Mobil Speedpass system: its what makes the Speedpass radio frequency identification (RFID) tag so difficult to clone. Other RFID systems dont use challenge-response, which makes attacking them comparatively easy.